Known as FunLove, the virus was first discovered in November 1999 and is known for its ability to infect Windows NT servers--in addition to computers running Windows 95, Windows 98 and Windows Millennium Edition--by posing as a system program. The virus also spreads automatically throughout a network via any hard drives shared with the infected system.
Though managers at the company did not yet know how the virus got in, they did figure out where the infection started.
"We have standard corporate policy that every server that has (a) business function needs to have antivirus software installed," said Kurt Powers, product manager for the Gold and Premier support sites at Microsoft. "There was one in a chain that did not."
The particular server was part of Microsoft's Premier and Gold support network, which provides almost 30,000 updates and bug fixes to Microsoft's top customers, he said.
The server had been carrying the virus and infecting downloaded files for almost a day starting April 19, until Microsoft located the infection and shut down the server April 20. During that time, only 170 files were downloaded, Powers said.
"We have a limited scope; we know exactly when the virus infected," he said.
Powers would not comment on whether the virus had spread through Microsoft's internal network, but said, "We also checked every workstation that is connected to every server."
Microsoft notified customers with a mass e-mailing Monday, and by late Wednesday had narrowed down the potentially infected organizations to 26, based on the user names used to download the files. Company representatives were in the process of calling those specific customers, said Michelle D'Amour, manager of Microsoft's product support services.
"Now that we know who downloaded the files, we are having the account manager call each one," said D'Amour.
For the most part, the 1.5-year-old virus should not cause much of a fuss, said Alan Paller, director of research for the Systems Administration Networking and Security (SANS) Institute, who received notice of the incident Monday.
Paller noted that customers who use Microsoft's Premier support are generally the ones that also have site licenses to antivirus software and thus are the most prepared for viruses.
"They are the least likely to be hurt by it," he said. "It is more of a 'How did this happen?' problem for Microsoft than a security threat for its clients."
The answer to that question is an important one, as Microsoft, antivirus software companies and others are moving toward fully automating the updating of their software.
If a virus infected an automatic update, potentially hundreds of thousands of customers could be affected, rather than up to 170 customers downloading the infected software.
While Powers vowed such a problem would never happen again on his watch, he wouldn't comment on whether Microsoft would take another look at its security.
"I can only speak to the scope of this particular situation," he said.